Thanks to Chen Yu, Rowland Yu, William Lee, and Ferenc László Nagy of SophosLabs for their behind-the-scenes work on this article.
Adware is typically viewed as a nuisance that does no real harm. But in recent research, SophosLabs has seen adware in Google Play that does more than just deliver ads. This strain can collect the user’s personal information, including their email address, and send it to a remote server.
Sophos detects this adware library as Android XavirAd and the information-stealing component as Andr/Infostl-BK.
XavirAd is found in more than 50 Google Play apps, some of which have more than a million downloads. For all the impacted apps combined, the download number is about 55m, said SophosLabs researcher Chen Yu. One such app is Add Text on A Photo.
With these apps installed, users will have a full screen advertisement popping up at regular intervals even when the app is closed. For example:
Users have quickly noticed something wrong after downloading these apps, and their discontent can be seen in the Google Play store:
But XavirAd can do more than just pop up ads. Once the app is started, the XavirAd library contacts its server and fetches its configuration:
The server responds with advertisement settings, including the interval between full-screen ads, which the library saves in shared preferences. The domain api-restlet.com, registered for this purpose, appears to be about a year and a half old, with origins in Vietnam:
It then downloads another .dex file from cloud.api-restlet.com:
The downloaded .dex file collects the following information from the user’s phone:
- User’s email address for Google account
- List of apps installed
- IMEI identifier and android_id
- Screen resolution
- Manufacturer, model, brand, OS version
- SIM operator
- App installation source
It then encrypts this data and sends it to a web address:
XavirAd works very hard to hide itself from security inspection, Yu said. The strings it uses are all encrypted. Each class has its own decryption routine in the class constructor. Although the algorithm remains the same, the keys are different in each class.
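The two behaviours described above, contacting the api-restlet.com hosts and loading a second .dex file at runtime, are what an analyst would look for when triaging an APK statically. The script below is an added example, not code from Sophos or from the article: it unpacks an APK (a zip file), scans each dex file inside it for the api-restlet.com host named in the article, and for the Android runtime class-loader descriptors that a dynamically loaded .dex would normally require. The article does not say which loader the library uses, so the DexClassLoader, PathClassLoader and InMemoryDexClassLoader descriptors are an assumption; the dex samples in the block are constructed, not real files. Because XavirAd encrypts its strings, the host name may not appear in clear text in a real sample, but a class-loader descriptor referenced directly from code must still be present in the dex string table, so the script reports the two indicator groups separately and flags only their combination.

```python
"""Static triage for the XavirAd pattern described in the article: an APK whose
dex code references the api-restlet.com hosts and uses Android's runtime dex
loading. Added example; not the article's or Sophos' code."""
from __future__ import annotations

import zipfile
from dataclasses import dataclass, field

# Host named in the article (config server and cloud.api-restlet.com download host).
NETWORK_IOCS = (b"api-restlet.com",)

# Class descriptors of Android's runtime dex loaders. The article does not show
# which loader the library calls; these standard ones are an assumption here.
DYNAMIC_LOAD_IOCS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)

DEX_MAGIC = b"dex\n"


@dataclass
class ScanResult:
    source: str
    network_hits: list[bytes] = field(default_factory=list)
    loader_hits: list[bytes] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only the combination is flagged: a known host plus dynamic code loading.
        return bool(self.network_hits) and bool(self.loader_hits)


def scan_dex_bytes(data: bytes, source: str = "<bytes>") -> ScanResult:
    """Search one dex blob for the indicators.

    Dex stores ASCII strings verbatim (MUTF-8) in its string table, so a raw
    substring search is enough for descriptors and clear-text host names.
    """
    result = ScanResult(source)
    if not data.startswith(DEX_MAGIC):
        return result  # not a dex file; nothing to report
    result.network_hits = [ioc for ioc in NETWORK_IOCS if ioc in data]
    result.loader_hits = [ioc for ioc in DYNAMIC_LOAD_IOCS if ioc in data]
    return result


def scan_apk(path: str) -> list[ScanResult]:
    """An APK is a zip archive; scan every .dex entry inside it."""
    results = []
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.endswith(".dex"):
                results.append(scan_dex_bytes(apk.read(name), f"{path}:{name}"))
    return results


# Constructed samples (not real dex files): a minimal header followed by the
# kind of strings a dex string table would hold.
SUSPICIOUS_DEX = (
    DEX_MAGIC + b"035\x00" + b"\x00" * 32
    + b"Ldalvik/system/DexClassLoader;\x00"
    + b"https://cloud.api-restlet.com/\x00"
)
BENIGN_DEX = (
    DEX_MAGIC + b"035\x00" + b"\x00" * 32
    + b"Lcom/example/photo/TextOverlay;\x00"
)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_DEX), ("benign", BENIGN_DEX)):
        r = scan_dex_bytes(blob, label)
        print(f"{label}: suspicious={r.suspicious} "
              f"hosts={r.network_hits} loaders={r.loader_hits}")
```

Run it against a real APK with `scan_apk("app.apk")`; a sample that only shows loader hits is still worth a closer look, since the string encryption described above would hide the host name from this check.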
Yu said it also uses anti-sandbox techniques to hide from dynamic analysis: it stops its malicious behavior if it finds it is running in a testing environment. First it checks whether it is running in an emulator:
It then checks for the following emulator-identifying strings:
As a further safety net against being run by a tester, it also checks the user’s email address. If the address contains any of the following strings, it stops:
The following Google Play apps contain XavirAd, and users may want to avoid them: